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United  States 

General  Accounting  Office 

Washington,  D.C.  20548 


General  Government  Division 

B-278067 

March  6,  1998 

Honorable  John  D.  Dingell 
Ranking  Minority  Member 
Committee  on  Commerce 
House  of  Representatives 

Dear  Mr.  Dingell: 

On  July  21, 1997,  you  asked  us  to  review  the  Securities  and  Exchange 
Commission’s  (sec)  report  on  the  status  of  its  efforts  to  ensure  that  the 
computer  systems  it  uses,  as  well  as  those  used  by  participants  in  the 
securities  industry,  are  ready  for  the  date  changeover  in  the  year  2000.  sec 
issued  its  report*  in  response  to  your  request  that  it  report  annually  on  the 
progress  made  in  addressing  this  issue. 

Your  letter  specifically  requested  that  we  review  (1)  sec’s  June  1997  report 
on  the  status  of  Year  2000  compliance  by  sec,  the  securities  industry,  and 
public  companies  to  identify  any  ways  that  future  reports  might  be 
improved;  (2)  the  adequacy  of  sec’s  oversight  of  the  Year  2000  remediation 
efforts  directed  at  its  internal  systems,  self-regulatory  organizations  (sro), 
broker-dealers,  and  other  regulated  entities;  and  (3)  the  guidance  sec  has 
provided  to  public  companies  for  disclosing  Year  2000  remediation  efforts. 

We  agreed  with  your  office  that  this  report  would  focus  only  on  ways  to 
improve  the  content  and  format  of  future  sec  Year  2000  reports  to 
Congress,  to  provide  sec  as  much  time  as  possible  to  incorporate  any 
changes  into  its  next  report.  We  intend  to  address  the  remaining  issues 
discussed  in  your  letter  separately  in  a  subsequent  review. 


Results  in  Brief 


sec’s  first  report  in  June  1997  provided  an  overview  of  the  efforts  that  sec 
and  various  industry  participants  had  made  to  address  Year  2000  issues, 
but  did  not  contain  the  specific,  detailed  information  that  Congress  will 
need  to  assess  progress  as  the  year  2000  approaches.  According  to  an 
agency  official,  sec  had  collected  more  detailed  information  from  some 
market  participants,  such  as  SROs.  The  official  said  that  sec  did  not  include 
this  information  in  the  report  because  sec  had  been  focused  on  assessing 
the  extent  to  which  market  participants  were  aware  of  the  Year  2000 
problem  and  had  begun  taking  steps  to  address  it. 


^Report  to  the  Congress  on  the  Readiness  of  the  United  States  Securities  Industiy  and  Public 
Companies  to  Meet  the  Information  Processing  Challenges  of  the  Year  20QQ>  Staff  of  SEC  (June  1997). 
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The  Office  of  Management  and  Budget’s  (omb)  reporting  format  offers 
guidance  on  the  type  of  detailed  information  sec  might  provide  Congress 
in  future  reports.  Such  information  includes  (1)  the  systems  considered 
critical  to  the  continued  functioning  of  the  U.S.  securities  markets;  (2)  the 
progress  made  in  moving  these  systems  through  the  various  phases  of 
achieving  Year  2000  compliance;  (3)  the  time  frames  required  to  complete 
each  phase;  (4)  the  efforts  necessary  to  address  systems  that  are  behind 
schedule;  and  (5)  the  contingency  plans  for  systems  that  may  not  be  ready 
in  time.  Also,  as  the  year  2000  approaches  and  less  time  to  make 
adjustments  is  available,  sec’s  yearly  progress  updates  may  be  too 
infrequent  for  congressional  needs. 


Background 


To  function  properly,  the  U.S.  securities  industry  and  capital  markets 
require  timely  and  accurate  flows  of  electronic  information.  This 
information  is  transmitted  through  and  processed  within  a  vast  network  of 
computerized  systems  managed  by  stock,  options,  and  futures  exchanges; 
broker-dealers;  banks;  mutual  funds;  and  various  other  organizations. 
These  systems  handle  such  tasks  as  displaying  price  quotations,  routing 
orders  to  buy  or  sell,  executing  trades,  and  transferring  securities  and 
payments  (clearance  and  settlement).  In  addition,  sec  has  internal  systems 
that  help  it  perform  its  regulatory  responsibilities.  All  of  these  systems  are 
potentially  vulnerable  to  errors  or  malfunction  as  a  result  of  the  impending 
date  changeover. 

The  Year  2000  problem  is  rooted  in  the  way  dates  are  recorded  and 
computed  in  many  computer  systems.  For  the  past  several  decades, 
systems  have  typically  used  two  digits  to  represent  the  year,  such  as  “97” 
to  represent  1997,  in  order  to  conserve  on  electronic  data  storage  and 
reduce  operating  costs.  With  this  two-digit  format,  however,  the  year  2000 
is  indistinguishable  from  1900,  2001  from  1901,  and  so  on.  As  a  result  of 
this  ambiguity,  system  or  application  programs  that  use  dates  to  perform 
calculations,  comparisons,  or  sorting  may  generate  incorrect  results  when 
working  with  years  after  1999.  For  example,  a  broker-dealer  with  a  system 
that  is  not  comphant  may  be  unable  to  receive  payment  information  in 
January  2000  for  securities  that  it  sold  in  December  1999  if  its  computer 
systems  fail  to  accept  incoming  data  with  a  Year  2000  date.  In  a  speech  to 
international  bankers,  the  president  of  the  New  York  Federal  Reserve 
Bank  indicated  that  the  Year  2000  software  date  change  poses  a  major  risk 
for  world  financial  markets  and  that  the  world  economy  could  be  damaged 
if  efforts  to  address  the  Year  2000  problem  are  not  carried  out  correctly. 
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SEC  is  the  primary  federal  agency  responsible  for  overseeing  the  securities 
markets  in  the  United  States.  It  promulgates  regulations,  reviews  market 
operations,  conducts  inspections  of  market  participants,  and  takes 
enforcement  actions  in  response  to  violations  of  the  securities  laws  and 
accompanying  regulations.  The  securities  laws  allow  sec  to  delegate  some 
of  its  responsibilities  to  the  entities  that  operate  the  various  stock  and 
options  markets  as  sros.  sros  develop  and  enforce  rules  for  their 
members.  They  include  the  New  York  Stock  Exchange,  the  National 
Association  of  Securities  Dealers,  and  other  regional  securities  exchanges 
that  maintain  the  physical  securities  or  their  electronic  equivalent.  The 
SROS  directly  oversee  their  member  broker-dealers,  which  buy  and  sell 
securities  on  behalf  of  customers,  sec  oversees  the  sros  as  well  as 
investment  companies  that  sell  mutual  funds,  investment  advisers  who 
dispense  investment  advice  or  manage  customer  funds,  and  transfer 
agents  who  maintain  records  on  behalf  of  companies  that  issue  securities. 
Consequently,  sec  and  the  sros  have  primary  responsibility  for  ensuring 
that  Year  2000  problems  in  the  securities  industry  do  not  adversely  affect 
individual  investors  or  the  securities  markets. 

Various  organizations  provide  guidance  for  assessing,  planning,  and 
managing  Year  2000  readiness  programs.  For  example,  we  and  other 
organizations,  such  as  information  technology  consulting  firms,  have 
issued  guidance  for  agencies  and  firms  seeking  assistance  in  formulating 
their  Year  2000  remediation  efforts.  Our  guidance  on  addressing  the  Year 
2000  problem,  contained  in  Year  2000  Computing  Crisis:  An  Assessment 
Guide  (gao/aimd-10.1.14.  Sept.  1997),  incorporates  guidance  and  practices 
identified  by  leading  organizations  in  the  information  technology  industry. 
Our  assessment  guide  recommends  that  organizations  proceed  through  a 
five-phased  approach  to  resolving  their  Year  2000  computing  issues.  These 
phases  are  awareness,  assessment,  renovation,  validation,  and 
implementation,  sec  appears  to  be  using  a  similar  approach  but  has 
organized  its  program  into  six  phases  by  dividing  the  validation  phase  into 
internal  testing  and  integrated  testing.^ 

In  May  1997,  omb  issued  a  format  for  federal  agencies  to  report  on  the 
progress  of  their  Year  2000  efforts.®  Specifically,  omb  has  asked  that  each 
agency  report  its  total  number  of  mission-critical  systems;  the  number  that 
are  currently  Year  2000  compliant;  and  the  progress  made  in  replacing. 


^The  terminology  that  SEC  uses  to  describe  its  approach  also  differs  in  one  other  area — the  agency's 
third  phase  is  called  remediation,  whereas  our  assessment  guide  refers  to  this  phase  as  renovation. 

•'^Memorandum  for  Heads  of  Selected  Agencies:  Computer  Difficulties  Due  to  the  Year  2000 — Progress 
Reports,  Executive  Office  of  the  President,  OMB  (Washington,  D.C.:  May  7, 1997). 
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repairing,  or  retiring  those  systems  that  are  not  yet  compliant.  Although 
the  guidance  applies  to  a  large  number  of  federal  agencies,  sec  was  not 
one  of  the  agencies  required  to  report. 

The  Securities  Industry  Association,  an  organization  that  represents  a 
large  segment  of  the  securities  industry,  is  playing  an  important  role  in 
coordinating  the  industry’s  Year  2000  efforts.  This  association  has 
established  a  steering  committee — ^made  up  of  representatives  from 
various  SROs,  broker-dealers,  investment  companies,  third  party  software 
vendors,  and  others — ^to  develop  a  strategy  for  industry  remediation  and 
coordinated  testing  schedules. 


Scope  and 
Methodology 


To  evaluate  how  sec’s  report  discussed  the  agency’s  efforts  to  address  the 
Year  2000  problem  for  its  internal  systems  and  identify  any  ways  that 
future  reports  could  be  improved,  we  interviewed  officials  in  sec’s  Office 
of  Information  Technology.  We  also  reviewed  internal  reports,  plans,  and 
timetables  concerning  the  agency’s  efforts  to  repair  its  own  systems.  To 
evaluate  how  sec’s  report  discussed  the  efforts  of  market  participants  to 
address  the  Year  2000  problem,  we  interviewed  sec  officials  in  the  various 
divisions  and  offices  within  the  agency  responsible  for  overseeing  sros, 
broker-dealers,  investment  companies,  investment  advisers,  and  other 
market  participants.  We  also  reviewed  documents  sec  had  collected  from 
market  participants  to  assess  what  type  of  information  the  agency  had 
analyzed  and  thus  could  summarize  in  future  reports.  In  addition,  we 
assessed  the  extent  to  which  sec’s  report  contained  information  that 
related  to  the  various  criteria  set  out  in  our  own  guidance  for  addressing 
Year  2000  issues  and  in  the  omb  guidance  for  selected  federal  agencies 
reporting  on  their  Year  2000  efforts. 

We  requested  comments  on  a  draft  of  this  report  from  the  Chairman,  sec. 
SEC  provided  written  comments,  which  are  discussed  at  the  end  of  this 
report  and  reprinted  in  appendix  II.  sec  also  suggested  technical  changes, 
which  we  incorporated  where  appropriate.  We  conducted  our  review  from 
August  1997  through  January  1998  in  accordance  with  generally  accepted 
government  auditing  standards. 
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SEC’s  Report 
Provided  an  Overview 
of  Securities  Industry 
Efforts  to  Prepare  for 
the  Year  2000 


sec’s  June  1997  report  provided  an  overview  of  its  own  and  industry 
participants’  efforts  to  prepare  for  the  year  2000.  To  assemble  the  report, 
SEC  formed  a  task  force  that  included  representatives  of  each  of  its  major 
operating  divisions.  These  divisional  representatives  contacted  various 
market  participants  under  the  representatives’ jurisdiction  by  letter  or 
telephone,  requested  and  reviewed  documents  provided  by  these 
participants,  and  discussed  Year  2000  issues  as  part  of  on-site 
examinations  of  some  participants.  They  compiled  the  report  from  the 
information  provided  and  structured  it  to  address  the  specific  questions 
you  raised  in  your  December  6, 1996,  letter  that  requested  annual  sec 
progress  reports. 


sec’s  report  provided  a  high-level  description  of  the  status  of  Year  2000 
remediation  efforts  for  sec  internal  systems,  including  detailed  information 
on  the  status  of  sec  mission-critical  systems.  For  mission-critical  systems, 
the  report  discussed  the  total  number  of  systems,  how  many  are  currently 
Year  2000  compliant,  and  how  many  are  not  comphant  and  will  be  either 
replaced  or  renovated.  The  report  also  provided  sec’s  schedule  for 
completing  some  of  the  phases  of  the  remediation  process  for 
mission-critical  systems,  sec  did  not  report  the  status  of  its  critical  internal 
systems  in  relation  to  its  six-phased  approach  for  achieving  Year  2000 
readiness.  Indicating  the  status  of  its  critical  systems  in  relation  to  the  six 
phases  would  provide  a  more  structured  means  to  assess  the  progress  sec 
has  made  in  addressing  the  Year  2000  problem  for  its  internal  systems. 


The  report  also  described  sec’s  efforts  to  promote  awareness  of  the  Year 
2000  problem  throughout  the  securities  industry.  It  included  a  listing  of  the 
major  organizations  that  sec  contacted  vsdthin  the  securities  industry  and  a 
description  of  how  it  coordinated  its  efforts  with  these  organizations  to 
ensure  that  systems  throughout  the  securities  industry  are  being  readied 
for  the  year  2000.  The  organizations  contacted  included  associations  that 
represented  sros,  broker-dealers,  transfer  agents,  investment  companies, 
and  investment  advisers.  The  report  also  provided  a  discussion  of  issues 
relating  to  public  company  financial  statements,  including  auditing, 
auditor  independence,  and  other  accounting  considerations.  Finally,  the 
report  discussed  sec’s  guidance  to  public  companies  regarding  the  extent 
to  which  these  companies  should  include  information  in  their  public 
disclosure  filings  if  the  costs  or  consequences  of  the  Year  2000  problem 
would  have  a  material  effect  on  reported  financial  information. 
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SEC’s  Report  Did  Not 
Include  Detailed 
Information  on  Major 
Systems  Critical  to  the 
Continued 
Functioning  of  the 
U.S.  Securities 
Markets 


Although  it  provided  an  overview  of  the  status  of  its  o-wn  and  securities 
industry  participants’  efforts  to  address  the  Year  2000  problem,  the  report 
did  not  identify  those  systems  that  might  be  critical  to  the  continued 
functioning  of  the  U.S.  securities  markets.  Furthermore,  it  did  not  provide 
sufficient  information  about  the  timing  and  status  of  efforts  by  sros, 
broker-dealers,  investment  companies,  and  other  market  participants  to 
address  their  systems.  In  addition,  it  did  not  discuss  what  efforts  will  be 
made  to  address  systems  or  organizations  that  have  fallen  behind  schedule 
or  what  contingency  plarming  is  occurring  to  address  systems  that  will  not 
be  ready  in  time.  Such  information  is  being  required  by  omb  from  other 
federal  agencies  and  provides  a  more  complete  picture  of  Year  2000 
readiness. 

According  to  our  assessment  guide,  identiftdng  and  assessing 
mission-critical  systems  are  important  because  an  enterprisewide 
inventory  of  information  systems  and  their  components  provides  the 
necessary  foundation  for  Year  2000  program  planning.  Identifying  and 
addressing  Year  2000  problems  in  critical  systems  are  essential  to  ensuring 
that  securities  market  operations  continue  without  disruption  and  could 
also  help  market  participants  focus  on  their  most  critical  systems  as  part 
of  their  overall  efforts.  Since  May  1997,  omb  has  required  selected  federal 
agencies  to  report  on  the  total  number  of  mission-critical  systems  each 
has;  the  number  of  such  systems  that  are  currently  Year  2000  compliant; 
and  whether  remaining  systems  are  being  replaced,  repaired,  or  retired. 

sec’s  report  identified  the  number  of  internal  systems  sec  considered 
critical  to  its  operations,  but  did  not  provide  similar  information  on  market 
participants’  systems  considered  critical  to  the  continued  functioning  of 
the  U.S.  securities  markets,  sec  officials  said  that  they  had  determined 
whether  SROs  had  conducted  detailed  inventories  and  identified  critical 
systems  because  of  the  importance  of  these  entities  to  the  securities 
markets.  The  officials  said  that  they  generally  had  not  collected  similar 
information  from  market  participants  such  as  broker-dealers  or 
investment  companies  because  they  had  concentrated  on  ensuring  that 
these  participants  were  aware  of  and  beginning  to  focus  on  Year  2000 
problems.  In  addition,  the  officials  said  they  also  had  begim  identifying  the 
steps  these  participants  had  taken  to  address  the  problems.  However,  they 
did  not  report  the  extent  to  which  market  participants’  systems  had 
progressed  through  sec’s  six-phased  process. 

An  SEC  official  also  told  us  that  sec  did  not  include  more  detailed 
information  on  market  participants’  systems  in  its  report  because  the 


Page  6 


GAO/GGD/AIMD-98-51  SEC  Year  2000  Report 


B-278067 


participants  considered  the  information  to  be  sensitive  and  sec  had 
promised  to  maintain  its  confidentiality.  However,  it  may  be  possible  to 
report  more  detailed  information  without  compromising  the 
confidentiality  of  data  from  specific  market  participants.  One  way  to  do  so 
would  be  to  report  summary  data  by  type  of  securities  market  participant, 
with  separate  breakouts  grouping  the  numbers  of  systems  managed  by 
industry  segments,  such  as  sros,  broker-dealers,  investment  companies, 
investment  advisers,  or  transfer  agents.  This  would  provide  more  detail 
•  without  identifying  specific  data  or  market  participants.  To  indicate  the 
status  of  systems  most  likely  to  have  a  significant  impact  on  the  continued 
functioning  of  the  U.S.  securities  markets,  sec  could  group  the  summary 
data  by  some  measure  of  their  size  or  importance  to  the  market,  such  as 
the  percentage  of  total  market  trading  volume  or  market  capitalization  that 
each  grouping  represented.  Appendix  I  shows  examples  of  ways  to  report 
this  information  for  the  securities  industry  based  on  omb’s  suggested 
reporting  format. 

sec’s  June  1997  report  also  did  not  indicate  time  frames  that  market 
participants  are  following  for  completing  the  various  phases  necessary  to 
address  the  Year  2000  problem.  For  example,  our  assessment  guide 
indicates  that  organizations  should  have  been  finished  with  the  first  two 
phases  of  the  process — ^awareness  and  assessment — ^by  around  mid-1997 
and  should  already  have  initiated  activities  to  renovate  systems  with 
date-related  deficiencies.  According  to  sec  officials,  they  have  generally 
asked  market  participants  to  describe  the  expected  time  frames  associated 
with  each  organization’s  Year  2000  readiness  program,  and  sec  intends  to 
track  these  organizations’  progress  against  these  time  frames  as  part  of  its 
oversight.  For  example,  sec  intends  to  track  most  organizations  against  the 
time  frames  established  by  the  Securities  Industry  Association,  which  it 
considered  to  be  more  aggressive  than  the  time  frames  established  by 
other  organizations,  such  as  omb.  However,  this  information  was  not 
included  in  the  June  1997  report.  Such  information  would  provide  an 
essential  measure  of  progress  for  critical  systems. 

sec’s  report  also  did  not  provide  information  concerning  the  steps  to  be 
taken  to  address  systems  or  organizations  that  have  fallen  behind  schedule 
in  addressing  the  Year  2000  problem,  omb  requires  selected  federal 
agencies  to  include  exception  reports  in  their  annual  and  quarterly  reports 
for  mission-critical  systems  that  are  being  replaced  or  repaired  and  are  at 
least  2  months  behind  schedule,  omb  expects  these  exception  reports  to 
include  an  explanation  of  why  the  systems  are  behind  schedule,  a 
description  of  what  is  being  done  to  accelerate  the  effort,  a  new  schedule 
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for  replacement  or  completion  of  the  remaining  phases,  and  a  description 
of  the  funding  and  other  resources  necessary  to  achieve  compliance.  The 
reporting  of  such  information  allows  omb  to  make  an  assessment  of 
whether  the  steps  being  taken  to  correct  such  systems  are  adequate  for 
getting  them  back  on  schedule. 

sec’s  report  also  did  not  contain  sufficient  information  to  assess  the  level 
of  contingency  planning  that  it  and  market  participants  are  conducting  as 
part  of  preparing  for  the  year  2000.  sec  officials  said  that  securities  market 
participants  were  generally  not  far  enough  along  in  the  overall  Year  2000 
process  to  be  involved  in  detailed  contingency  planning  yet,  but 
recognized  its  importance.  Because  the  year  2000  is  less  than  2  years  away, 
contingency  planning  for  systems  that  will  not  be  ready  is  an  important 
part  of  any  organization’s  preparations.  As  noted  in  our  assessment  guide, 
correcting  the  Year  2000  problem  is  difficult  because  systems  firequently 
consist  of  multiple  programs,  operating  systems,  computer  languages,  and 
hardware  platforms.  Resolving  date  coding  problems  for  computer 
systems  is  a  labor-intensive  and  time-consuming  process,  and  some 
systems,  portions  of  systems,  or  instances  of  date  dependencies  may  be 
overlooked  during  the  remediation  process.  Therefore,  having  soimd 
contingency  plans,  which  involves  identifying  or  designing  alternative 
means  for  processing  information,  will  be  important  for  ensuring  the 
continued  functioning  of  the  securities  markets.  Developing  and  reporting 
on  such  plans  soon  might  help  reveal  certain  alternatives  or  contingencies 
to  be  unworkable,  too  expensive,  or  otherwise  impractical. 


Annual  Reporting  May 
Not  Be  Adequate  as 
the  Year  2000 
Approaches 


Monitoring  an  organization’s  efforts  to  ensure  that  its  computer  systems 
are  ready  will  become  even  more  critical  as  the  year  2000  draws  nearer.  In 
this  regard,  annual  reports  from  sec  may  not  provide  sufficiently  timely 
information.  Recognizing  the  time-critical  nature  of  the  Year  2000  problem, 
omb’s  reporting  guidance  for  selected  federal  agencies  requests  that  these 
organizations  provide  quarterly  reports  on  the  status  of  their  Year  2000 
efforts.  Other  organizations  are  requiring  even  more  frequent  reporting. 
For  example,  the  Treasury  Department  is  requiring  its  bureaus  to  report 
their  status  monthly.  More  frequent  reporting  by  sec  would  help  to  identify 
any  problems  sooner  and  thus  provide  Congress  and  sec  additional  time  to 
take  action  should  the  need  arise. 


Conclusions 


Because  sec  was  primarily  concerned  with  promoting  and  assessing 
awareness  of  the  Year  2000  problem,  its  June  1997  report  focirsed  on  the 
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early  stages  of  the  industry’s  preparations  for  the  year  2000  and  did  not 
provide  specific  information  on  the  status  of  particular  systems.  However, 
as  the  year  2000  approaches,  information  similar  to  that  required  by  omb, 
but  reported  more  frequently,  would  provide  a  better  indication  of  the 
progress  being  made  to  ensure  the  readiness  of  systems  critical  to  the 
continued  functioning  of  the  U.S.  securities  markets. 


Recommendation 


We  recommend  that  the  Chairman,  sec,  include  in  sec’s  Year  2000  status 
reports  to  Congress  information  similar  to  that  required  of  other  federal 
agencies  by  omb.  Specifically,  sec  reports  should  include  information  on 

the  systems  critical  to  the  continued  functioning  of  the  U.S.  securities 
markets; 

the  progress  made  in  moving  critical  systems  through  the  various  phases 
of  achieving  Year  2000  compliance; 

the  time  frames  required  to  complete  each  phase  of  the  process; 
the  efforts  necessary  to  address  systems  that  are  behind  schedule;  and 
the  contingency  plans  for  systems  that  may  not  be  ready  in  time. 

SEC  should  also  report  such  information  more  frequently,  such  as  quarterly 
update  briefings,  to  keep  Congress  informed  as  the  year  2000  approaches. 


Agency  Comments 
and  Our  Evaluation 


SEC  provided  us  with  written  comments  on  a  draft  of  this  report.  (See  app. 
11.)  SEC  generally  agreed  with  our  recommendation  that  it  report  more 
specific,  detailed  information  to  Congress  on  the  industry’s  Year  2000 
progress,  sec  also  agreed  with  our  suggestions  to  focus  particularly  on  the 
industry’s  overall  progress  in  moving  its  operations  through  the  various 
phases  of  achieving  Year  2000  compliance  and  on  providing  contingency 
planning  information  for  the  1998  report,  sec  also  agreed  that  an  annual 
report  to  Congress  may  not  provide  sufficiently  timely  information.  It  said 
that  it  is  currently  providing  briefings  to  certain  congressional  staff  and 
would  be  willing  to  include  the  staff  of  any  member  of  Congress  in  such 
briefings.  If  made  available  to  all  interested  Members  and  staff  and 
conducted  as  frequently  as  needed,  such  briefings  could  meet  the  intent  of 
our  reconunendation. 

SEC  stated,  however,  that  omb  reporting  requirements  are  not  a  workable 
model  for  reporting  on  the  systems  of  entities  that  sec  regulates. 
Specifically,  sec  stated  that  it  is  not  feasible  to  provide  all  the  information 
required  by  omb  for  the  mission  critical  and  non-mission-critical  systems  of 
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every  regulated  entity  in  the  securities  industry  because  of  the  size  of  the 
industry,  limited  sec  resources,  and  the  sec’s  sharing  of  oversight 
authority. 

We  used  the  omb  reporting  requirements  as  an  example  of  how  sec  could 
improve  its  reporting  on  the  progress  being  made  to  ensure  the  readiness 
of  systems  critical  to  ongoing  market  operations.  We  did  not  intend  that 
SEC  report  detailed  information  for  the  mission-critical  and 
non-mission-critical  systems  of  each  regulated  entity,  although  each  entity 
should  be  tracking  the  progress  of  its  own  systems.  We  believe  that,  for 
Congress  to  have  the  information  necessary  to  assess  industry  readiness, 
SEC  needs  to  identify  and  provide  detailed  information  on  those  systems 
that  are  critical  to  the  functioning  of  the  industry  as  a  whole.  Such  systems 
likely  include  those  related  to  trading,  clearing,  and  other  functions 
important  to  market  operations,  as  well  as  those  used  by  major  market 
participants.  We  revised  the  text  and  recommendation  to  clarify  our  intent 
and  discuss  alternative  ways  to  consolidate  information  about  these 
critical  systems  in  appendix  I.  For  example,  rather  than  reporting  the 
status  of  systems  for  every  member  of  an  exchange  or  eveiy  broker-dealer, 
SEC  could,  at  a  minimimi,  report  on  the  combined  status  of  the  systems  for 
the  major  exchanges  and  largest  broker-dealers. 


As  arranged  with  your  office,  unless  you  publicly  announce  this  report’s 
contents  earlier,  we  plan  no  further  distribution  of  it  until  16  days  after  the 
date  of  the  letter.  We  will  then  send  copies  to  other  interested  members  of 
Congress,  sec,  the  New  York  Stock  Exchange,  the  National  Association  of 
Securities  Dealers,  and  other  relevant  organizations.  Copies  will  be  made 
available  to  others  on  request. 

Please  contact  me  on  (202)  512-8678  if  you  or  your  staff  have  any 
questions.  Major  contributors  to  this  report  are  listed  in  appendix  Ill. 

Sincerely  yours. 


Richard  J.  Hillman 
Associate  Director 

Financial  Institutions  and  Markets  Issues 
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Appendix  I _ _ _ _ _ 

Example  of  Reporting  Format  for 
Information  on  Mission-Critical  Systems 
Used  by  Various  Securities  Market 
Participants  _ 

The  following  table  represents  a  possible  format  for  reporting  information 
on  the  readiness  of  securities  market  participants’  electronic  systems. 
Other  equally  acceptable  reporting  formats  or  means  of  presenting  this 
information  likely  exist.  The  format  presented  here  seeks  to  capture 
several  key  aspects  of  the  information,  including  some  measure  of 
importance  for  the  entities  (such  as  percentage  of  market  trading  volume); 
the  extent  to  which  systems  are  already  compliant;  and  for  those  that  are 
not,  how  far  along  in  the  six  phases  of  the  Year  2000  readiness  process 
they  are.  The  names  of  individual  organizations  would  not  have  to  be 
identified  but  instead  information  could  be  combined  and  presented  for 
groups  of  organizations,  as  shown.  Further,  the  percentage  of  systems  that 
have  completed  each  Year  2000  phase  may  not  accurately  reflect  the 
amount  of  work  remaining  to  be  done  if  the  larger  systems  with  more  lines 
of  code  remain  unfinished.  In  such  cases,  market  participants  could 
disclose  more  information  to  better  describe  the  actual  work  remaining. 
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Table  L1 :  Example  of  Format  for 
Reporting  on  Status  of  Mission-Critical 
Systems  Used  by  Major  Securities 
Market  Participants 


Appendix  1 

Example  of  Reporting  Format  for 
Information  on  Mission-Critical  Systems 
Used  by  Various  Securities  Market 
Participants 


Major  market  participant 

Percentage  of  total  market 
trading  volume 

Total  number  of 
mission-critical  systems 

Exchanges 

Major  exchanges 

xx% 

xx% 

Other  exchanges 

xx% 

xx% 

All  options  exchanges 

xx% 

xx% 

Clearing  organizations 

Major  clearing  organizations 

xx% 

xx% 

Other  clearing  organizations 

xx% 

xx% 

Broker-dealers 

Top  10  firms 

xx% 

xx% 

Other  firms^ 

xx% 

xx% 

Investment  companies 

Top  10  firms 

xx% 

xx% 

Other  firms'^ 

xx% 

xx% 
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Example  of  Reporting  Format  for 
Information  on  Mission-Critical  Systems 
Used  by  Various  Securities  Market 
Participants 


Percentage  of  systems  completed  by  phase  of  Year  2000  readiness _ _ 

Awareness  Assessment  Remediation _ Internal  testing  Integrated  testing  Implementation 

Milestone:  (date)  Milestone:  (date)  Milestone:  (date)  Milestone:  (date)  Milestone:  (date) _ Milestone:  (date) 


XX% _ XX% _ XX% _ XX% _ )«% _ )«% 

xx%  xx% _ xx% _ xx% _ xx% _ 

xx%  xx%  xx%  XX% 


xx% 

xx% 

xx% 

xx% 

xx% 

xx% 

xx% 

xx% 

xx% 

xx% 

xx% 

xx% 

xx% 

xx% 

xx% 

xx% 

xx% 

xx% 

xx% 

xx% 

xx% 

xx% 

xx% 

xx% 

xx% 

xx% 

xx% 

xx% 

xx% 

xx% 

xx% 

xx% 

xx% 

xx% 

xx% 

xx% 

^Results  from  SRO  and/or  SEC  examinations  for  other  firms  could 

be  reported  here. 

•^Results  from  SRO  and/or  SEC  examinations  for  other  firms  could 

be  reported  here. 

Source;  GAO. 


Page  17 


GAO/GGD/AIMD-98-51  SEC  Year  2000  Report 


Appendix  11 


Comments  From  SEC 


UNITED  STATES 

SECURITIES  AND  EXCHANGE  COMMISSION 

WASHINGTON.  D.C.  20549 


January  28,  1998 


Thomas  J.  McCool 

Director,  Financial  Institutions  and  Market  Issues 
United  States  General  Accounting  Office 
Washington,  DC  20548 

Dear  Mr.  McCool: 

The  Securities  and  Exchange  Commission  ("SEC”)  appreciates  the  opportunity  to 
comment  on  the  Government  Accounting  Office’s  ("GAO")  draft  report,  Obser\'ations  on  the 
Securities  and  Exchange  Commission’s  Report  on  the  Readiness  of  the  Securities  Industrt^  to 
Address  the  Year  2000  Computer  Problems.  Overall,  we  have  found  the  GAO’s 
observations  regarding  the  content  and  format  of  the  SEC’s  annual  Year  20CX}  report  to 
Congress  to  be  very  helpful. 

We  agree  that  an  annual  report  to  Congress  may  not  provide  sufficiently  timely 
information.  The  SEC  currently  is  providing  briefings  to  certain  Congressional  staff.  We 
have  no  objection  to  including  the  staff  of  any  member  of  Congress  in  such  briefings.  These 
briefings  w'ould  be  less  formal  and  therefore  more  flexible  than  written  reports  or  testimony, 
and  also  place  less  of  a  burden  on  limited  SEC  resources. 

In  its  report,  the  GAO  also  recommends  that  the  SEC  identify  the  status  of  mission 
critical  and  non-mission  critical  systems  tow'ards  Year  2000  readiness  for  both  SEC  systems 
and  industry  participant  systems.  In  particular,  GAO  refers  to  Office  of  Management  and 
Budget  C'OMB”)  reporting  guidelines  for  selected  federal  agencies.  The  0MB  guidelines 
include  identifying  systems  critical  to  ongoing  operations  and  progress  made  in  moving  those 
systems  through  the  various  phases  of  achieving  Year  2000  compliance.  We  agree  that  the 
SEC  can  provide  information  similar  to  the  OMB  reporting  standards  for  the  SEC’s  internal 
systems. 

We  strongly  believe  that  the  OMB  reporting  standards  are  not  a  workable  model  for 
reporting  on  the  systems  of  entities  regulated  by  the  SEC  for  a  number  of  reasons.  A  major 
consideration  is  the  size  of  the  industiyT  In  1997,  there  were  approximately  8,500  broker- 
dealers,  25  self-regulatory  organizations  ("SROs"),  748  transfer  agents,  4,811  investment 
companies,  and  23,350  investment  advisers  registered  with  the  Commission.  Obtaining  and 
compiling  specific  quantitative  information  on  both  mission  critical  and  non-mission  critical 
systems  for  these  entities  would  be  beyond  the  capacity  of  SEC  staff  resources.  In  addition, 
ftnancial  service  computer  systems  are  highly  integrated,  so  it  is  difuculi  to  completely 
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separate  the  operation  of  "mission  critical”  systems  from  "non-mission  critical”  systems. 
Instead,  the  SEC  has  found  it  useful  to  assume  that  all  systems  that  relate  to  the  industry's 
business  are  mission  critical,  and  to  focus  on  enterprise  wide  remediation  efforts  rather  than 
assessing  system  by  system  remediation  for  thousands  of  entities. 

Given  the  size  of  the  financial  services  community,  the  limited  resources  of  the  SEC, 
and  the  sharing  of  oversight  authority,  it  is  not  feasible  for  the  SEC  to  provide  all  the 
information  suggested  by  the  GAO  for  every  regulated  entity  in  the  securities  industr>\ 
Nevertheless,  the  SEC  can  adopt  many  of  the  GAO's  suggestions  to  provide  a  more  detailed 
and  quantitative  report  to  Congress.  In  particular,  the  SEC  can  report  on  the  industry's 
overall  progress  made  in  moving  their  operations  through  the  various  phases  of  achieving 
Year  2000  compliance,  and  will  include  information  on  the  projected  time  frames  required  to 
complete  each  phase  of  the  process.  We  can  provide  more  specific  information  for  SROs 
delineated  by  percent  of  securities  trading  volume  represented  in  aggregate  by  the  SROs  at 
each  phase  of  the  conversion  process.  As  we  mentioned  to  Ihe  GAO,  the  Securities  Industiy^ 
Association  ("SIA")  is  leading  an  intense,  w^ell-rounded  industry^  effort  to  bring  broker-dealer 
systems  into  compliance  and  conduct  industry  wide  testing.  The  SEC  supports  this  effort  and 
has  adopted  SIA  guidelines  and  timetables  as  the  most  appropriate  measure  for  industry 
efforts.  Accordingly,  we  will  include  specific  reference  to  the  SIA  standards  and  timeframes 
in  future  reports. 

With  regard  to  contingency  planning,  the  GAO  report  notes  that  the  SEC's  report  did 
not  provide  information  concerning  the  steps  to  be  taken  to  address  systems  or  organizations 
that  have  fallen  behind  in  addressing  the  Year  2000  problem.  The  SEC  agrees  that 
contingency  planning  is  vital  to  the  Year  2000  planning  process,  but  determined  that  other 
aspects  of  the  conversion  process  took  precedence  in  1997.  Contingency  planning  will  be  a 
major  focus  of  SEC  efforts  in  1998.  The  SEC  is  now  focusing  on  the  industry's  contingency 
plans,  including  measures  regarding  entities  that  are  behind  schedule  or  may  not  be 
compliant.  As  recommended  by  the  GAO,  the  SEC  will  include  in  its  future  reports  to 
Congress  information  regarding  efforts  necessary  to  address  systems  that  are  behind  schedule 
and  the  contingency  plans  for  systems  that  may  not  be  ready  on  time. 

If  you  have  any  questions  or  regarding  these  comments,  please  contact  Howard 
Kramer,  Senior  Associate  Director,  at  (202)  942-0180. 
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The  first  copy  of  each  GAO  report  and  testimony  is  free. 
Additional  copies  are  $2  each.  Orders  should  be  sent  to  the 
following  address,  accompanied  by  a  check  or  money  order 
made  out  to  the  Superintendent  of  Documents,  when 
necessary.  VISA  mid  MasterCard  credit  cards  are  accepted,  also. 
Orders  for  100  or  more  copies  to  be  mailed  to  a  single  address 
are  discounted  25  percent. 

Orders  by  mail: 

U.S.  General  Accounting  Office 
P.O.  Box  37050 
Washington,  DC  20013 

or  visit: 

Room  1100 

700  4th  St.  NW  (corner  of  4th  and  G  Sts.  NW) 

U.S.  General  Accounting  Office 
Washington,  DC 

Orders  may  also  be  placed  by  calling  (202)  512-6000 

or  by  using  fax  number  (202)  512-6061,  or  TDD  (202)  512-2537. 

Each  day,  GAO  issues  a  list  of  newly  available  reports  and 
testimony.  To  receive  facsimile  copies  of  the  daily  list  or  any 
list  from  the  past  30  days,  please  call  (202)  512-6000  using  a 
touchtone  phone.  A  recorded  menu  will  provide  information  on 
how  to  obtain  these  lists. 

For  information  on  how  to  access  GAO  reports  on  the  INTERNET, 
send  an  e-mail  message  with  "info"  in  the  body  to: 

info@www.gao.gov 

or  visit  GAO’s  World  Wide  Web  Home  Page  at: 
http://www.gao.gov 
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